dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile
semgrep
Author
unknown
Avoid using sudo in Dockerfiles. A RUN sudo step means the build has already switched to a non-root USER and is escalating back to root, which normally requires installing sudo and adding a sudoers entry that ships in the final image. Do privileged build steps while the build is still root, then switch to a non-root user; running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.
Definition
rules:
  - id: no-sudo-in-dockerfile
    patterns:
      - pattern: |
          RUN sudo ...
    message: Avoid using sudo in Dockerfiles. Running processes as a non-root user
      can help reduce the potential impact of configuration errors and security
      vulnerabilities.
    metadata:
      category: security
      technology:
        - dockerfile
      cwe:
        - "CWE-250: Execution with Unnecessary Privileges"
      owasp:
        - A05:2021 - Security Misconfiguration
      references:
        - https://cwe.mitre.org/data/definitions/250.html
        - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - dockerfile
    severity: WARNING
Examples
no-sudo-in-dockerfile.dockerfile
# Use an official Ubuntu 20.04 as base image
FROM ubuntu:20.04
ENV DEBIAN_FRONTEND noninteractive
# ok: no-sudo-in-dockerfile
RUN apt-get update && apt-get upgrade -y
# ok: no-sudo-in-dockerfile
RUN apt-get install -y sudo
RUN useradd -ms /bin/bash newuser
RUN echo "newuser ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers
USER newuser
# ruleid: no-sudo-in-dockerfile
RUN sudo apt-get install -y curl
CMD ["echo", "Hello, Docker!"]
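The following is an added example and is not part of the Semgrep rule or the Semgrep project. It shows the corrected form of the Dockerfile above (all privileged steps run while the build is still root, sudo is never installed, and USER is the last instruction before CMD) next to a small POSIX-shell pre-check that mirrors the rule's intent without Semgrep installed. The check joins backslash line continuations first and also flags the exec form RUN ["sudo", ...]; whether the rule's own RUN sudo ... pattern matches that form is not something this page states. The file names and the check_no_sudo, write_vulnerable_dockerfile and write_fixed_dockerfile functions are assumptions of this example; it relies only on sh, awk, grep and mktemp.

```shell
#!/bin/sh
# Added example, not part of the Semgrep rule or the Semgrep project.
# Assumes only a POSIX sh with awk, grep and mktemp available.

# check_no_sudo FILE
# Print each RUN instruction that invokes sudo, both shell form
# ("RUN sudo ...") and exec form ('RUN ["sudo", ...]'). Backslash line
# continuations are joined first so a "RUN \" followed by "sudo ..." on the
# next line is seen as one instruction. Returns 0 if nothing was found and
# 1 if at least one offending RUN exists.
check_no_sudo() {
    awk '/[ \t]*\\$/ { sub(/[ \t]*\\$/, ""); buf = buf $0 " "; next }
         { print buf $0; buf = "" }' "$1" |
    grep -n -E '^[[:space:]]*RUN[[:space:]]+(sudo([[:space:]]|$)|\[[[:space:]]*"sudo")' \
        && return 1
    return 0
}

# The page's example, written out as constructed input for the check.
# The sudoers line grants newuser passwordless root in the final image.
write_vulnerable_dockerfile() {
    cat > "$1" <<'EOF'
FROM ubuntu:20.04
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y sudo
RUN useradd -ms /bin/bash newuser
RUN echo "newuser ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers
USER newuser
RUN sudo apt-get install -y curl
CMD ["echo", "Hello, Docker!"]
EOF
}

# Corrected version: curl is installed while the build is still root, sudo is
# never installed, no sudoers entry exists, and USER comes last so the
# container process has no path back to root.
write_fixed_dockerfile() {
    cat > "$1" <<'EOF'
FROM ubuntu:20.04
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update \
    && apt-get install -y --no-install-recommends curl \
    && rm -rf /var/lib/apt/lists/*
RUN useradd -ms /bin/bash newuser
USER newuser
CMD ["echo", "Hello, Docker!"]
EOF
}

# Demo: run both files through the check and report the result.
demo() {
    dir=$(mktemp -d)
    write_vulnerable_dockerfile "$dir/bad.Dockerfile"
    write_fixed_dockerfile "$dir/good.Dockerfile"
    for f in "$dir/bad.Dockerfile" "$dir/good.Dockerfile"; do
        if check_no_sudo "$f"; then
            echo "$f: no RUN sudo found"
        else
            echo "$f: RUN sudo found (see lines above)"
        fi
    done
    rm -rf "$dir"
}

demo
```

The grep-based check is a lightweight gate, not a replacement for the rule: it ignores case variants and anything hidden behind a shell variable, and it does not understand Dockerfile heredocs. Its value is that it runs in a pre-commit hook or a minimal CI image where Semgrep is not available.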
Short Link: https://sg.run/80Q7